Cross-Site Scripting Vulnerability in MantisBT Software by MantisBT
CVE-2020-16266

5.4 MEDIUM

Key Information:

Vendor: Mantisbt
Status: Vendor
CVE Published: 12 August 2020

What is CVE-2020-16266?

A Cross-Site Scripting (XSS) vulnerability exists in MantisBT prior to version 2.24.2 due to improper data escaping in the view_all_bug_page.php file. This flaw enables a remote attacker to inject malicious HTML code into the application by manipulating a Custom Field. As a result, any user who views the affected issue may inadvertently execute harmful scripts in their browser, especially if Content Security Policy (CSP) settings do not adequately restrict such actions.
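The root cause named above is output that is not escaped for its HTML context. The following PHP snippet is an added illustration, not code from MantisBT or from the fixed view_all_bug_page.php; the function names, the sample custom-field value and the CSP header are all constructed for the example. It places the vulnerable pattern beside the hardened one and shows the defence-in-depth role the CSP remark refers to.

```php
<?php
// Added example (not MantisBT code): escaping an untrusted custom field
// value before it is placed in HTML, the class of fix CVE-2020-16266 needed.
// Function and variable names here are hypothetical.

declare(strict_types=1);

// Defence in depth: a policy that forbids inline script limits the impact of
// an escaping bug. Sent before any output so the header can still be set.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

// Escape for an HTML text or quoted-attribute context. ENT_QUOTES also
// encodes single quotes; ENT_SUBSTITUTE replaces invalid UTF-8 sequences
// instead of returning an empty string.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the stored custom field value is concatenated into
// markup unchanged, so any tags it carries are parsed by the viewer's browser.
function render_cell_unsafe(string $custom_field_value): string
{
    return '<td>' . $custom_field_value . '</td>';
}

// Hardened pattern: escape at the point of output, for this output context.
function render_cell_safe(string $custom_field_value): string
{
    return '<td>' . escape_html($custom_field_value) . '</td>';
}

// Constructed sample input: a field value carrying quotes and markup.
$sample = 'Priority "high" <b>bold</b>';

echo render_cell_unsafe($sample), PHP_EOL; // markup reaches the browser intact
echo render_cell_safe($sample), PHP_EOL;   // markup is rendered as literal text
```

Run it with `php example.php` to compare the two rendered cells. The hardened version is a per-context escape, so a value that is later placed inside a JavaScript string or a URL would need a different encoder; the CSP header reduces what any remaining injection can do but does not replace escaping.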

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
